Skip to content

OAuth vulnerability in using submitted authorization token for authentication

Zachary Ware edited this page Jun 4, 2019 · 3 revisions


  • CVE-2019-12300


  • Authentication vulnerability
  • OAuth authorization token being used for user authentication


  • Reported: 7 May 2019
  • Fix merged into master: 9 May 2019
  • Fix in a release: 22 May 2019


Buildbot accepted user-submitted authorization token from OAuth and used it to authenticate user.

Impact analysis

The vulnerability can lead to malicious attackers to authenticate as legitimate users of a Buildbot instance without knowledge of the victim's login credentials on certain scenarios.

If an attacker has an application authorized to access data of another user at the same Identity Provider as the used by the Buildbot instance, then he can acquire a token to access the data of that user, supply the token to the Buildbot instance and successfully login as the victim.

Versions vulnerable

Buildbot 0.9.5 to 1.8.1, 2.0.0 to 2.3.0 (inclusive)

Fixed versions

Buildbot 2.3.1 and 1.8.2

Mitigations and patches

Either of the following can be used to mitigate the vulnerability:

OAuth login can be disabled in Buildbot configuration.

Patch can be applied:

Alternatively Buildbot can be upgraded to v2.3.1 or v1.8.2.


  • Thanks to Phillip Kuhrt for finding and reporting this vulnerability responsibly.
You can’t perform that action at this time.